Thread Reader
Stephan Berger

Stephan Berger
@malmoeb

Sep 23, 2022
4 tweets
Twitter

1/ #ThreatHunting: In a compromised network, we saw the following request in the proxy logs: www.advanced-ip-scanner[.]com/checkupdate.php?[..] This scanner is trendy among ransomware groups and has been mentioned in reports by @The DFIR Report, among others. [1] 🧵

2/ This HTTP request can now be used very well for an alert. Or better, collect and monitor all your DNS logs, because a DNS request will still go out if the Advanced IP Scanner is run without an installation (portable version). An excellent opportunity for detection.
3/ You can see the DNS request for the domain www.advanced-ip-scanner[.]com below.
4/ DFIR Tip: Inside the registry (HKCU\Software\Famatech\advanced_ip_scanner\State) we can find interesting forensic artifacts like the last scanned range. 🕵️‍♀️ Reference: [1] twitter.com/TheDFIRReport/…
The DFIR Report

The DFIR Report
@TheDFIRReport

Diavol Ransomware ➡️Initial Access: Zip->ISO loading BazarLoader ➡️Discovery: Net, Ping, AdFind, Advanced IP Scanner, ShareFinder ➡️C2: #CobaltStrike & #BazarLoader ➡️Lateral Movement: RDP, AnyDesk ➡️Exfil: FileZilla, ufile ➡️Impact: Diavol ransomware thedfirreport.com/2021/12/13/dia…
Stephan Berger
Head of Investigations @InfoGuardAG • #DFIR • Threat Hunting • Azure & Active Directory Fanboy • OSCP, GXPN, GCIA, GCFA, GSE
Follow on Twitter
Missing some tweets in this thread? Or failed to load images or videos? You can try to .